Delegent A Generic Authorisation Server - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Delegent A Generic Authorisation Server

Description:

Possible to isolate authorisation critical code to a few components. ... Privilege: may authorise payments for project Delegent. Constraints: to PBR group ... – PowerPoint PPT presentation

Number of Views:43
Avg rating:3.0/5.0
Slides: 21
Provided by: bab683
Category:

less

Transcript and Presenter's Notes

Title: Delegent A Generic Authorisation Server


1
DelegentA Generic Authorisation Server
  • Erik Rissanen
  • Babak Sadighi
  • Policy Based Reasoning Group
  • Swedish Institute of Computer Science (SICS)

2
ScenarioBusiness-2-Business
Company B1
employee
employee
Orders Database
employee
Company A
Sales Records
employee
Company B2
employee
employee
3
Issues
  • Centralised Management of privileges and roles
  • time-consuming
  • error-prone and security risk
  • interferes with the core business
  • does not correspond to the authority and
    responsibility structures

4
Solution
  • Decentralised management of privileges and roles
  • reduces delays for updates
  • increases the level of security
  • gives better flexibility by enabling decision
    makers to implement their decisions
  • corresponds to the actual authority and
    responsibility structures

5
Delegation Model
  • Delegation in terms of creating new permissions
    and authorities
  • One can be an authority to create a permission
    for a certain group without having that
    permission for himself or being the authority to
    create it for himself.
  • Delegation chains show how privileges
    (permissions and authorities) have been
    propagated.
  • Any valid chain of delegation originates from a
    source of authority.

6
Constrained Delegation
  • In order to keep some level of control on how
    privileges are propagated, we need some
    restrictions on delegation chains.
  • Constrained delegation is a mechanism for
    expressing and enforcing restrictions on
    potential delegation chains.
  • Usually constraints are on the groups of users,
    set of actions, set of objects and validity time
    of privileges.

7
Revocation Schemes
  • We have implemented a number of revocation
    schemes based on
  • Who has the authority to revoke a delegation?
  • What should be the consequences of a particular
    revocation?

8
Auditing facilities
  • Within the model a privielege holds only if it is
    created by a valid delegation chain. This means
    that
  • One can trace the source of each privilege
  • One can trace how authorities have been exercised

9
Authorisation Architecture
  • Consolidate
  • Authorisation requests
  • Authorisation management
  • Auditing facilities
  • Isolate and simplify security critical code

10
Authorisation Architecture
Application logi
Audit tools
Admin tools
Application logi
Application logic
Service
Delegent
Service
Service
Data
Possible Directory
11
Authorisation Architecture
  • Components authenticate to each other.
  • Possible to isolate authorisation critical code
    to a few components.
  • Authorisation responsible services and wrapper
    objects.
  • Simple application logic.
  • Delegent authorises management of itself.
    (Delegation model)
  • Object based authorisation model.

12
Implementation
DM Delegation Manager ALM Access Level
Manager GM Group Managers CAPI Constraint API
Delegent Server
13
Delegation Manager
  • Database of delegation chains in the form of a
    dependency graph
  • Keeps track of who has the authority to change
    permissions

14
Access Level Manager
  • Database of access permissions

15
Group Managers
  • Keeps track of group memberships.
  • Can use existing directory as its repository.

16
Constraint API
  • Form an API for various constraints on
    authorisations, such as time intervals.
  • Can be customized for specific applications.

17
Application
  • Queries and updates authorisation information in
    delegent server.
  • Very simple authorisation code since Delegent
    does the hard work.

18
A Delegation Example
  • Issuer Gunnar Bjurel
  • Holder Sverker Janson
  • Privilege may authorise payments for project
    Delegent
  • Constraints
  • to PBR group
  • for period 20020101-20030601
  • Payment lt 20000 Sek.
  • Valid 20020101-20030101

19
Future Plans for Delegent
  • Better user interface
  • Implementing new features such as
  • attribute based access control
  • Support for digital credentials
  • X.509 attribute certificates
  • SAML ACXML, XrML

20
The End
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com